Tuesday, 18 September 2012

Anonymous port scanning using proxychains and tor

When testing a web application or doing reconnaissance, the Tor Browser Bundle is all we need to hide our true identity, but what about other activities? In this short post I will explain how to stay anonymous during port scanning. We will need the following tools to achieve this goal:

tor,

proxychains,

nmap.

Proxychains is a proxifier supporting HTTP, SOCKS4 and SOCKS5 proxies. It works by intercepting the libc connect() call of the program it wraps, so only TCP connections made through libc are sent via the proxy. It is shipped with BackTrack Linux by default and already configured to use tor. You can verify this by looking at /etc/proxychains.conf: the last entry of the [ProxyList] section should be a single socks4 (or socks5) line pointing at the local tor SOCKS port, 127.0.0.1 port 9050.

We are ready to fire up nmap through proxychains, with the scan options described below.

Now, let me explain what happened there. We ran nmap through proxychains with the following options:

-sT - full TCP connect scan. This is not optional: proxychains can only redirect connections that go through libc connect(). A SYN scan (-sS), a UDP scan or OS detection (-O) uses raw sockets, which proxychains never sees, so those packets would leave straight from our real IP address.

-PN - do not perform host discovery (the ping probes nmap sends by default before a scan would also bypass the proxy; -Pn is the current spelling of this option and nmap still accepts -PN)

-n - never perform DNS resolution (nmap's reverse lookups of the scanned addresses use its own UDP resolver, not the proxied connect() call, so without -n the lookups would leak which host we are scanning)

-sV - determine service version/info (the version probes are ordinary TCP connections, so they travel through the chain as well)

-p - ports to scan (for testing purposes I only gave it 3 ports; proxying a port scan through tor makes it really slow, so perhaps the --top-ports option should be taken into consideration)

the target host - self explanatory

In the scan log we can see the "chain" that goes from 127.0.0.1:9050 (the tor proxy) to our scanned host. It is possible that this scan will fail, because tor exit nodes are often blocked (the reason being spam or other malicious activity coming from them). The solution may be adding a common, public proxy to the chain, so that the target sees the public proxy's address instead of a tor exit node. We can do that by simply editing proxychains.conf and adding a new entry at the end of the [ProxyList]. Be sure that the random_chain option is disabled and strict_chain is enabled: proxychains then uses the hops in the listed order, tor first, so the public proxy is only ever reached through tor. With random_chain the order is shuffled and our real address may connect to the public proxy directly; with dynamic_chain a hop that appears dead is skipped, which has the same effect if tor is not reachable. Keep in mind that the operator of the public proxy sees the scan traffic, even though it arrives from a tor exit.
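As an added example (not code from the original post), the following sh script ties the steps above together: it checks that a proxychains.conf routes every connection through local tor first (both the single-hop default and the tor-plus-public-proxy chain of the previous paragraph), rejects nmap options that proxychains cannot carry, and only then runs proxychains nmap. The sample configurations, the function names and the public proxy address 198.51.100.7 are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check a proxychains
# configuration and build the "proxychains nmap" command line so that nothing
# in the scan can leave from the real IP. Function names and the sample
# configurations are constructed; 198.51.100.7 is a documentation address.

# Constructed sample: a default-style proxychains.conf with tor as the only hop.
TOR_ONLY_CONF='# proxychains.conf
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 9050'

# Constructed sample: a public SOCKS5 proxy appended after tor, hops in order.
CHAINED_CONF='strict_chain
proxy_dns
[ProxyList]
socks4 127.0.0.1 9050
socks5 198.51.100.7 1080'

# Constructed sample: same two hops, but random_chain shuffles the order, so
# the public proxy may be contacted directly instead of through tor.
RANDOM_CONF='random_chain
proxy_dns
[ProxyList]
socks4 127.0.0.1 9050
socks5 198.51.100.7 1080'

# Print the active chain mode: the first uncommented *_chain directive.
chain_mode() {
    printf '%s\n' "$1" \
        | grep -E '^[[:space:]]*(dynamic|strict|random)_chain' \
        | head -n 1 | tr -d '[:space:]'
}

# Print the first proxy entry below [ProxyList], with whitespace normalised.
first_proxy() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/   { next }
        /^\[ProxyList\]/   { inlist = 1; next }
        inlist && NF >= 3  { $1 = $1; print; exit }'
}

# Succeed only if every connection starts at local tor: the first hop is SOCKS
# on 127.0.0.1:9050 and the hop order is fixed (strict or dynamic, not random).
check_conf() {
    mode=$(chain_mode "$1")
    hop=$(first_proxy "$1")
    [ "$mode" != random_chain ] \
        || { echo "random_chain is enabled; hop order would be shuffled" >&2; return 1; }
    case "$hop" in
        'socks4 127.0.0.1 9050'|'socks5 127.0.0.1 9050') return 0 ;;
        *) echo "first hop is not local tor: '$hop'" >&2; return 1 ;;
    esac
}

# Succeed only with nmap options proxychains can carry. proxychains intercepts
# libc connect(), so raw-socket scan types (-sS, -sU, -O, ...) and the ping
# probes of host discovery bypass it; nmap's own reverse-DNS resolver does too.
safe_nmap_args() {
    no_ping=0; no_dns=0
    for arg in "$@"; do
        case "$arg" in
            -Pn|-PN|-P0) no_ping=1 ;;
            -n)          no_dns=1 ;;
            -s*[SUAWMNFXOYZI]*|-O|-A|--traceroute|-PE|-PP|-PM|-PR|-PS*|-PA*|-PU*|-PY*)
                echo "unsafe through proxychains: $arg" >&2; return 1 ;;
        esac
    done
    [ "$no_ping" = 1 ] || { echo "add -Pn: host discovery bypasses the proxy" >&2; return 1; }
    [ "$no_dns" = 1 ]  || { echo "add -n: reverse DNS bypasses the proxy" >&2; return 1; }
}

# Validate the config text and the nmap options, then run the scan. With
# DRY_RUN=1 the command line is printed instead of executed.
proxied_scan() {
    conf_text="$1"; shift
    check_conf "$conf_text" || return 1
    safe_nmap_args "$@" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'proxychains nmap %s\n' "$*"
    else
        proxychains nmap "$@"
    fi
}

# Stand-alone use: tor_scan.sh <target> [ports], reading the system config.
if [ "$#" -ge 1 ]; then
    proxied_scan "$(cat /etc/proxychains.conf)" -sT -Pn -n -sV -p "${2:-21,22,80}" "$1"
fi
```

Run it as tor_scan.sh <target> [ports] against the real /etc/proxychains.conf, or export DRY_RUN=1 first to only see the command line. The option check is the part that matters most: proxychains proxies nothing but libc connect() calls, so -sS, -O or a scan without -Pn sends packets from the real address no matter how the chain is configured.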

That's all for tonight, I hope somebody will find this information useful.